Allow Connect apps to access permissions without ADMIN scope

Description

Now that Connect apps can pass an accountId to /rest/api/3/permissions/check and access a user’s global properties in the Jira expressions API, it would be great to split out reading permissions from the existing ADMIN scope, which includes a lot of write access to a customer’s instance.

At Easy Agile we’re grateful for the improvements in and but we still only want to read permissions from Jira for the purpose of extending and integrating with Jira’s existing permission scheme.

If these and related APIs, such as /rest/api/3/permissions/ and /rest/api/3/user/permission/search were usable with only the READ scope or a new scope specifically for permissions, it would be far easier for apps to reduce the scopes they use.

Environment

None

Activity

Satvik Sharma
July 27, 2020, 3:46 AM
Edited

We haven’t made any changes in our apps to use the improvements to these endpoints and thinking about it more, I think it’s still better for us to keep using /mypermissions with ACT_AS_USER. My thinking is:

  • Our apps that check permissions don’t have the ADMIN scope currently.

  • ACT_AS_USER without the ADMIN scope is still a smaller scope footprint than just ADMIN scope by itself.

Andreas Schmidt
July 27, 2020, 7:08 AM

We only include ADMIN scopes in all our apps just to restrict some config pages to admin access.

I can’t see any scenario where you should publish an app without ADMIN/ACT_AS_USER scope as you’ll always run into security issues.

Maciej Retowski
November 30, 2020, 3:23 PM

Hi, we extended the permission/check endpoint in such a way that it is now possible for Connect apps to request other users’ permissions without having Admin permission. This only applies to requests made from the app server using a JWT token (AP.request() is not treated as made by the app). It should solve the cases where ADMIN or ACT_AS_USER was needed only for checking permissions.

Don’t hesitate to ask questions if you have any.
Cheers.

Purna Chandra
November 30, 2020, 4:49 PM

We are doing a permission check using the code below, and we need both the user's permissions and the user's groups to determine if they are in the admin group.

For this we are making a request to /rest/api/3/expression/eval with the below expression.

Will the change that you described apply to this scenario too? Please let us know.

Thank you.

Maciej Retowski
December 2, 2020, 7:48 AM

Hi, the change applies only to the endpoint permission/check, so it won’t change anything for the request you provided.

Assignee

Unassigned

Reporter

Satvik Sharma

Labels

None